[milters] Archive


Article: 117
From: Anthony Howe
Date: 2004-10-01 06:06:29 -0400
Subject: Re: How to cope with big big big but braindead ISPs

Sascha Vogt wrote:

> Now this ISP, let's call them AON from now on, uses 12 dedicated 
> SMTP-Servers to deliver mail of their dialup and DSL-customers. They are 
> called email01... to email12.aon.at. Don't ask me why but if you dig for one 
> of these hosts in DNS you will learn they are using RFC 1918 addresses for 
> them and have no MX-Records defined.
> 
> For incoming traffic they have another one, called email.aon.at with a real 
> IP-Address and of course the MX-Record of aon.at is pointing to that host.
> 
> So of course milter-sender refuses to accept mail from these 12 servers and 
> gives them a nice error message explaining that they are violating RFC 3330 
> and some other and therefore are f*cking losers.
> Wonderful, really nice :-)
> 
> But...
> 
> 40% Marketshare, are FORTY PERCENT! Thousands of employees... A call-center 
> with at least three levels to filter callers before they might get in touch 
> with a person who might have heard something like RFCs exist...
> 
> And of course nobody would expect somebody to read the log-files of those 
> 12 servers...
> 
> And my users are moaning for mail of their beloved ones...
> 
> But being a real fan of Mark's milters I wouldn't open some of those options in 

Mark?  Who's Mark?  milter-sender is written by Anthony.  Hmm. Sounds 
like a Copyright violation to me.

> milter-sender or generally white-list aon.at-users. Here's my way to handle 
> such a braindead ISP.

email*.aon.at publish RFC 3330 in public internet space, which is 
a stupid thing to do, but some universities and other supposedly clever 
institutions are too lazy to set up a private internal DNS.

	email12.aon.at.         1D IN A         172.18.5.90

This is a private class B network, so make sure milter-sender.cf specifies:

	ClientRejectPrivateB=0
	HeloRejectPrivateB=0

Also you want to disable

	ClientIsForged=0

since the reverse PTR lookup and forward DNS will never work. This might 
also be required:

	ClientNeedsPTR=0

> Make entries for those hosts with RFC-1918 addresses in your local hosts 
> file. Give them the IP of the inbound Server (email.aon.at)
> 
> 195.3.96.71 email01.aon.at
> .
> .
> 195.3.96.71 email12.aon.at
> 
> Create /etc/mail/mailertable entries for each of them to...
> 
> email01.aon.at	esmtp:email.aon.at
> .
> .
> email12.aon.at	esmtp:email.aon.at
> 
> Works!
> 
> Milter-Sender sees a valid IP for those hosts now and doesn't claim 

Actually it sees that you have done something special with mailertable 
and are willing to route them. Of course spam from email*.aon.at can now be 
relayed to email.aon.at, but it's limited.

> RFC-3330 violations any more and he asks email.aon.at to verify the 
> senders. AND none of the filter-mechanisms had to be disabled for the rest 
> of the world.

Cute. Essentially you have given the mail servers from private IP space 
the public IP address of their MX in /etc/hosts. I'm curious why you 
added the mailertable entries though?

The solution I would have suggested would have been to add to 
/etc/mail/access:

	milter-sender-connect:email01.aon.at 		OK
	...
	milter-sender-connect:email12.aon.at 		OK

Which of course allows these servers to bypass milter-sender, hopefully 
to be caught by a 2nd spam defence.

-- 
Anthony C Howe                                 +33 6 11 89 73 78
http://www.snert.com/       ICQ: 7116561         AIM: Sir Wumpus

            "Once...we were here."  - Last of The Mohicans
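
As an added illustration, not code from this thread or from milter-sender itself, the Python below models the connect-time tests Anthony names above (ClientRejectPrivateB, HeloRejectPrivateB, ClientIsForged, ClientNeedsPTR) and the milter-sender-connect access-map bypass he suggests, run against constructed DNS data. The option names and the aon.at records come from the thread; the connecting client address, the lookup tables and the check logic are assumptions, and the real milter-sender may evaluate these options differently.

```python
import ipaddress

# Constructed lookup tables standing in for live DNS (no real queries are made).
# email12.aon.at publishes an RFC 1918 address in public DNS, as in the thread.
FORWARD_A = {"email12.aon.at": "172.18.5.90", "email.aon.at": "195.3.96.71"}
# Constructed TEST-NET-2 address for the connecting client; its PTR names
# email12.aon.at, whose published A record can never match the client address.
CLIENT_IP = "198.51.100.10"
REVERSE_PTR = {CLIENT_IP: "email12.aon.at", "195.3.96.71": "email.aon.at"}

PRIVATE_B = ipaddress.ip_network("172.16.0.0/12")  # RFC 1918 "class B" block
DEFAULTS = {"ClientRejectPrivateB": 1, "HeloRejectPrivateB": 1,
            "ClientIsForged": 1, "ClientNeedsPTR": 1}
# The settings Anthony recommends for accepting mail from email*.aon.at.
RELAXED = dict(DEFAULTS, ClientRejectPrivateB=0, HeloRejectPrivateB=0,
               ClientIsForged=0, ClientNeedsPTR=0)

def is_private_b(ip):
    return ipaddress.ip_address(ip) in PRIVATE_B

def connect_checks(client_ip, helo, options=DEFAULTS, access=()):
    """Simplified model of the connect/HELO tests named in the thread.

    Returns the option names that would reject the client (empty if accepted).
    `access` holds host names listed as 'milter-sender-connect:<host> OK' in
    /etc/mail/access; a match skips every test, as Anthony describes.
    """
    ptr = REVERSE_PTR.get(client_ip)
    if ptr in access or helo in access:
        return []
    hits = []
    if options["ClientRejectPrivateB"] and is_private_b(client_ip):
        hits.append("ClientRejectPrivateB")
    if options["ClientNeedsPTR"] and ptr is None:
        hits.append("ClientNeedsPTR")
    # Forward-confirmed reverse DNS: the PTR name must resolve back to the client.
    if options["ClientIsForged"] and ptr and FORWARD_A.get(ptr) != client_ip:
        hits.append("ClientIsForged")
    helo_ip = FORWARD_A.get(helo)
    if options["HeloRejectPrivateB"] and helo_ip and is_private_b(helo_ip):
        hits.append("HeloRejectPrivateB")
    return hits

if __name__ == "__main__":
    print(connect_checks(CLIENT_IP, "email12.aon.at"))           # defaults reject
    print(connect_checks(CLIENT_IP, "email12.aon.at", RELAXED))  # options relaxed
    print(connect_checks(CLIENT_IP, "email12.aon.at", access={"email12.aon.at"}))
```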
